Question of the Week

QUESTION:    Two years ago, we terminated an employee for violating the hospital’s privacy policies.  The former employee has now obtained an employment offer within our community and, as part of his new employment, would need to have remote access to our health system’s EMR.  Is it lawful to allow access, considering the circumstances pursuant to which the employee was terminated?  Should we allow access?  What are the risks?

ANSWER:    Access to a health care organization’s electronic medical record system is a courtesy and privilege and your organization has no obligation to grant “second chance” access to anyone whose access has been previously terminated for non-compliance with the rules governing access to the system.  That being said, there is no legal prohibition to reinstating access for such individuals.  Accordingly, it is within your organization’s discretion to decide whether it will process requests for reinstatement of access and, if so, what process it will use to determine whether reinstatement will be granted and any terms or conditions of reinstatement.  Here are a few things you may wish to consider:

  • You may wish to update your internal policies and procedures to state whether requests for reinstatement of access will be considered and, if so, how they will be processed.

For example, consider adding language such as the following:  “If access to the HIT system has been previously terminated for an individual for any reason, that individual may request reinstatement of access by submitting a written request to the privacy officer, who shall have sole authority to determine whether to grant reinstatement.  Requests for reinstatement of access will be considered on a case-by-case basis.  Access to the HIT system is a courtesy and privilege.  There is no right to access.  Accordingly, the privacy officer’s decision regarding reinstatement shall be final, without any right to appeal or other procedures.”

  • If you decide to consider requests for reinstated access, it is probably best to consider them on a case-by-case basis, rather than adopting a one-size-fits-all process (e.g., “reinstatement will be granted if at least two years have passed since the violation/termination” or “if the underlying violation was determined to be intentional, rather than reckless or negligent, then the individual is ineligible to request reinstatement of access”).

Case-by-case consideration of requests will give your organization more flexibility to consider all of the facts surrounding the prior violation, including the amount of time that has passed, the nature of the violation, whether the employee admitted the violation at the time and took full responsibility, and any mitigating factors (such as the requestor’s subsequent completion of privacy-related education or subsequent work in a health care organization without incident).

Further, you may wish to consider the benefits to the community of granting reinstatement of access (for example, is this a doctor who practices in a needed specialty or a nurse developing a care coordination network for the community’s elderly population?).

In any case where the decision is made to grant reinstatement of access, be sure to document the reasons that support that decision.  This can serve as evidence of your reasoning should there ever be an issue (such as a DHHS surveyor questioning your judgment).  Further, keeping a written record of such decisions will probably help you to be more consistent when making those decisions.  Finally, should the privacy officer’s decision ever be challenged as unfair (i.e., “you reinstated her access, but won’t reinstate mine”), the documentation of why access was reinstated in a prior case can help to demonstrate the justification for any disparity.

  • If you choose to grant access to individuals who have previously demonstrated their unwillingness or inability to abide by your privacy rules, consider taking steps to limit your risk.

For example, you may choose to consider requests for reinstatement of access only if the individual submits evidence of having completed substantial (as defined by your organization) re-education or re-training in medical ethics and/or patient privacy.

In addition, you may wish to require the individual – and/or his or her prospective employer – to sign an agreement to indemnify and defend the organization should the individual violate any of the organization’s privacy or security policies.

The agreement should make it clear that the individual will be responsible not only for damages arising from any lawsuit, but also any fines or penalties imposed by the federal or state government, the costs of any breach notifications deemed necessary by the organization, any costs associated with investigation of the privacy or security violation (such as audits by computer experts), and any mitigation deemed necessary by the organization (for example, the purchase of identity theft insurance for patients affected by the violation).

If you are going to request the prospective employer to take responsibility for any future violations by the individual requesting reinstatement, that employer may wish to obtain additional information from your organization regarding why access is not available automatically to the individual in question.  Note that you will want to be careful when sharing information with the prospective employer to avoid any allegations by the former employee that you defamed him/her or violated his/her privacy.  Accordingly, prior to sharing any information about the reasons the individual is not able to obtain access to your EMR without special consideration, you should first have the individual sign an authorization form that specifically authorizes you to speak with the prospective employer and to disclose full details of the circumstances surrounding the individual’s termination from your organization.  That form should also include broad language releasing your organization from liability for any information you share and should state that the individual agrees not to sue you (and will pay your attorneys’ fees and costs if he or she sues you, despite having signed the form, and does not prevail).

Finally, if you choose to grant reinstated access, be sure to limit such access to the minimum necessary and take other practical steps to limit the risk of future violations.  For example, if access is being reinstated to allow a nurse in the community to provide care coordination services for elderly patients with multiple chronic conditions, and if your EMR has the technical capability, consider limiting access to the records of patients over the age of 65.  Also consider setting up regular audits of the individual’s access to your EMR.  For example, as a condition of access, you may require the care coordinator to have her employer submit on a weekly basis a list of all patients the coordinator is responsible for.  The HIT department can then run an audit of all EMR records accessed by the care coordinator and compare it against the list to verify appropriate access.  Any names that do not match should be further audited to determine whether there was an appropriate reason for access.
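
The weekly reconciliation described above can be scripted against an access log export. The following is an added example, not part of the original answer: the log layout, the roster format, the user and patient identifiers, and the choice to flag any week with no submitted roster are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data (hypothetical identifiers, not from any real system).
# Rosters: ISO (year, week) -> patient IDs the employer says the coordinator covers.
ROSTERS = {
    (2024, 10): {"P1001", "P1002", "P1003"},
    (2024, 11): {"P1001", "P1003"},  # P1002 dropped from the caseload
}
# EMR access log export: (timestamp, user, patient_id, patient date of birth).
ACCESS_LOG = [
    ("2024-03-05T09:14:00", "coord01", "P1001", "1950-02-11"),
    ("2024-03-06T10:02:00", "coord01", "P1002", "1948-07-30"),
    ("2024-03-12T08:45:00", "coord01", "P1002", "1948-07-30"),  # off roster in W11
    ("2024-03-13T16:20:00", "coord01", "P2044", "1991-05-02"),  # never listed, under 65
    ("2024-03-19T11:00:00", "coord01", "P1001", "1950-02-11"),  # W12: no roster filed
    ("2024-03-12T08:50:00", "nurse77", "P2044", "1991-05-02"),  # other user, skipped
]

def age_on(dob: date, day: date) -> int:
    """Age in whole years on the day of access."""
    return day.year - dob.year - ((day.month, day.day) < (dob.month, dob.day))

def audit_access(log, rosters, user, min_age=65):
    """Return {patient_id: sorted reasons} for accesses that need manual review."""
    findings = defaultdict(set)
    for ts, who, patient, dob in log:
        if who != user:
            continue
        when = datetime.fromisoformat(ts)
        year, week, _ = when.isocalendar()
        roster = rosters.get((year, week))
        if roster is None:
            # Assumption: a missing weekly list is itself a finding (fail closed).
            findings[patient].add(f"no roster submitted for {year}-W{week:02d}")
        elif patient not in roster:
            findings[patient].add(f"not on roster for {year}-W{week:02d}")
        # "Over the age of 65" means strictly older than min_age at access time.
        if age_on(date.fromisoformat(dob), when.date()) <= min_age:
            findings[patient].add("outside age restriction")
    return {p: sorted(r) for p, r in findings.items()}

if __name__ == "__main__":
    for patient, reasons in audit_access(ACCESS_LOG, ROSTERS, "coord01").items():
        print(patient, "->", "; ".join(reasons))
```

Each access is checked against the roster for the week in which it occurred, so a patient removed from the caseload is flagged from the following week onward. The output is a review queue for the further audit the answer calls for, not a determination that access was inappropriate.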